Akamai, Cloudflare, Imperva Top App & API Defense Gartner MQ
Big Shifts in Gartner Magic Quadrant as Cloud Deployments Replace Appliance Market
Cloudflare has crashed the party for top-performing web application and API protection vendors, joining longtime leaders Akamai and Imperva atop the latest Gartner Magic Quadrant.
Gartner has observed more separation between the leaders in this market and the rest of the pack, with three vendors - Barracuda, F5 and ThreatX - tumbling from the visionaries or challengers categories last year to the lowest spot, niche players. Analysts from Gartner weren't immediately available for additional comment on this year's report.
Gartner this year focused only on web application and API protection capabilities delivered as cloud services. That's in stark contrast with previous years, when Gartner considered both appliances and cloud WAAP technologies. The decision to no longer factor in WAAP appliances materially changed where vendors were positioned in this year's Magic Quadrant, according to Gartner.
"In the past 12 months, cloud WAAP has been the dominant form factor for new deployments in the Americas and EMEA," the authors wrote. "Unlike the WAAP appliance market, which is dominated by replacement purchases, the cloud WAAP market continues to experience double-digit growth, thanks to new customers, new applications to protect and shifts from appliances to cloud-delivered security."
The 2022 Magic Quadrant has three leaders and five niche players. Fortinet and Microsoft have been in the niche category both years, but Gartner included only three firms in the visionaries and challengers ranks combined. That's down from six a year ago. Radware has been in the visionary category both years, with Amazon Web Services and Fastly categorized by Gartner as challengers in both 2021 and 2022.
Six vendors with some web application and API protection capabilities didn't make it into the Magic Quadrant for failing to meet Gartner's technical or revenue inclusion criteria. They are Alibaba Cloud, Citrix, Cloudbric, Google, Indusface and NSFocus.
Gartner recognized Boston-area digital experience vendor Akamai for having the most complete vision and strongest execution ability around web application and API protection. San Francisco-based security and performance services vendor Cloudflare took silver for its ability to execute in the Gartner race, while Silicon Valley-based data security vendor Imperva was bestowed bronze.
As for completeness of vision, Gartner awarded Imperva the silver and Tel Aviv-based cybersecurity and application delivery provider Radware the bronze. Cloudflare came in fourth in the category.
Although the overall cloud WAAP market is mature, Gartner says certain segments - such as bot management and API threat protection - continue to be quite dynamic. API security has become a key part of WAAP evaluations, Gartner has found, with WAAP providers competing against more specialized API threat protection vendors. More vendors have introduced decent API discovery capabilities in the past year.
"Providers of the more mature bot mitigation modules face reinvigorated competition from the remaining bot mitigation specialists, and have focused their efforts on a few differentiators," Gartner Magic Quadrant authors Jeremy D'Hoinne, Adam Hils, John Watts and Rajpreet Kaur wrote.
Akamai Puts Customer Rule-Setting in the Rearview Mirror
Akamai has boosted its adaptive security engine feature so organizations don't have to set up, deploy, tune and manage thousands of rules for each of their applications, says Vice President of Product Management Eric Graham. Instead, Graham says, Akamai proactively recommends how to localize its rules to each customer application based on its view of the internet and understanding of what malicious attacks look like.
Over the past year, Graham says, Akamai has taken this from an approach used for a subset of customers in an entry-level product to having 70% of all customers use this across their production environments. Akamai's top challenge has been convincing users they no longer have to go through a protracted process to secure their apps, given the company's understanding of what normal and abnormal look like.
"The problem area keeps expanding, and we keep having to innovate," Graham says.
Gartner criticized Akamai for high prices, confusion around its portfolio transition, false positives and user interface complexity. Graham acknowledged that Akamai's price point is higher than others in the market but says that correlates to the value the firm provides. Akamai's portfolio refresh has resulted in a bit of confusion, and Graham says the company's new website aims to make the new portfolio clearer.
Simplifying the user interface is a never-ending journey given that Akamai is continuously expanding to protect against more types of threats, which resulted in the need to streamline existing capabilities. And false positives tend to result from periods of more intense adversarial pressure, forcing the company to look at its efficacy across all customers to determine if something is occurring outside the norm, he says.
Cloudflare Focuses on Threat Intel, API Protection
Cloudflare has focused over the past year on strengthening its anomaly detection for API traffic, beefing up its threat intelligence capabilities and building out functionality across client-side security, says Vice President of Product Patrick Donahue. The company is using unsupervised machine learning to identify where APIs are and what's exposed to the internet and to determine if someone has taken an unusual path through an API.
"We didn't enter the MQ until 2016, so we're quite happy with that 'up and to the right' march we've done over the years and happy to be recognized there," Donahue says. "The breadth and homogeneity of our network is something that underpins our advantage. We run the same security services on every data center and every machine."
Gartner criticized Cloudflare for a lack of hybrid deployment, inconsistent support, insufficient forensic analysis and a cluttered and confusing user interface. Donahue says Cloudflare made the choice to focus only on cloud rather than hybrid deployments and is expanding its forensic tools from real-time analytics to PDF-style reports. Cloudflare has enlisted specialist groups to support different parts of the portfolio.
"Our strategy from the outset as a newer entrant to the market has always been a pure play cloud offering," Donahue says. "We just strategically have decided to not do any sort of hybrid deployment."
Imperva Debuts API Security Tool to Block Automated Attacks
Imperva API Security in March debuted a solution to enable API discovery, monitoring, data classification, GraphQL support, API testing and validation, says Vice President of Application Security Ryan Windham. The new offering allows developers and security teams to see into the API's underlying payload and protects critical applications and infrastructure from automated attacks, online fraud, DDoS attacks and API abuses.
Windham says the company recognized years ago that cloud-native application development was going to force the web application firewall market to evolve, prompting Imperva to expand into API security, DDoS protection, bot management and runtime protection through strategic acquisition. Imperva is the only company to provide integrated protection and visibility from the edge to the app or API and down to the data.
"Unlike others in the WAAP market, Imperva is a pure play cybersecurity company," Windham tells Information Security Media Group in an email. "Others started in content delivery or cloud services and later migrated into security. However, they don't have the same domain expertise that Imperva has gained since our founding 20 years ago."
Imperva's leadership in its sales and distribution channel teams has changed a lot, which Gartner says has adversely affected Imperva's road map execution and overall market presence. The company also lags behind other vendors in supporting use cases around a containerized WAAP offering, Gartner says, adding that the company's presence in Asia-Pacific lags behind that of its direct competitors (see: Imperva's Breach Post-Mortem: API Key Left Exposed).
Customers told Gartner that Imperva's late support for TLS 1.3, lack of single sign-on for back-end applications, and subpar certificate management are weak spots for the company. Imperva declined to respond to Gartner's cautions or discuss how the company plans to address them in the year ahead.